Cybersecurity News Headlines Update on August 27, 2021

White House Cyber Summit

On Wednesday, August 25, US President Joe Biden met with leaders in the technology, education, finance, insurance, and energy sectors to discuss ways to improve national cybersecurity. Major technology companies have pledged to take steps to strengthen technology supply chain security and to invest billions of dollars in expanding zero-trust programs, improving open-source security, and other measures.

Note

  • The commitment includes more collaboration between private industry and NIST, which should increase the applicability of NIST standards making it easier to achieve commonality between the two sectors on security standards and practices: reducing the inherent challenges of verification of security across differing baselines. With all the high-tech initiatives on the agenda, it’s critical not to lose focus on the basics. Participants committed money and resources to make that happen. While many pledges are focused on education and training, Microsoft has also committed $150 million in technical services to help federal, state, and local governments upgrade their security practices.
  • Meetings like this sometimes involve classified information we may never see. It makes me wonder what any org would spend on security if they had a more complete picture of what goes on.

Microsoft Fixed Security Issue in Azure Cosmos DB

Microsoft says it has mitigated a vulnerability in Azure Cosmos DB that could have been exploited to allow users to access other users’ resources. The flaw was present for approximately two years before Microsoft addressed it earlier this month. Microsoft was alerted to the issue by researchers from Wiz.

Note

  • Microsoft disabled the vulnerable feature on August 14th, and published the issue on August 26th. Microsoft advises users to regenerate their Cosmos DB primary keys, and leverage a vNET or firewall to further protect their Cosmos DB Accounts.
  • I have to give some credit to Microsoft about being open about this vulnerability. The advantage of SaaS is that the vendor will patch it for you. But this also implies that the vulnerabilities are never disclosed, and users are not aware that their data may have been exposed to these risks. Thanks, Microsoft, for being transparent.
  • Given how pervasive the cloud has become, I am happy to see that Microsoft reacted quickly to solve the issue. This level of commitment and response is exactly what cloud consumers are looking for when they inherit risk and put more trust on cloud providers.
  • One advantage of using the cloud is that the provider fixes the vulnerability once instead of every customer having to fix it, often across multiple systems.

SteelSeries Device Installation App Bug Gives Windows 10 Admin Rights

Gaming peripherals and accessories maker SteelSeries has patched a vulnerability in its device installation app that could be exploited to gain Windows 10 SYSTEM privileges. News of this issue follows a disclosure less than a week ago of a similar bug in Razer peripherals installation software.

Note

  • As I said last week with respect to the Razer mouse driver vulnerability: Allowing regular users to install drivers that are executed with elevated privileges is a bad idea. But I doubt this architectural issue will be fixable. Expect more of the same in future Newsbites.
  • An external emulator can be used to mimic HID device signatures, which will trigger the auto-installation of drivers or trigger the SteelSeries installer without the actual device. This time there is a hyperlink in the EULA which, when clicked, opens IE with System privileges. The update from SteelSeries includes a work-around which disables the software auto-launch of their installer upon detection of a new SteelSeries device. Note that software to manage allowed/disallowed USB device connections often doesn’t allow you to block the connection of keyboards and mice. The long term fix for both will be a trade-off between automatically installing drivers and the interruption of requiring the user to explicitly grant admin privileges at the time the installation happens.

White House Directive: NIST to Develop Technology Supply Chain Security Framework

The White House has directed the National Institute of Standards and Technology (NIST) to “collaborate with industry and other partners to develop a new framework to improve the security and integrity of the technology supply chain.” The White House issued the directive after the August 25 Presidential Cyber Summit.

Note

  • This directive, coupled with the promised investment of money and resources from private sector participants Google, Microsoft, and IBM, will be key in producing a result in a timely fashion. Funding and private sector active participation are key to achieving the desired outcomes.

Atlassian Fixes Critical Flaw in Confluence Server and Data Center

Atlassian has released a fix for a critical OGNL injection vulnerability (CVE-2021-26084) affecting its Confluence Server and Data Center products. The flaw “would allow an authenticated user, and in some instances unauthenticated user, to execute arbitrary code on a Confluence Server or Data Center instance.” The vulnerability is fixed in Confluence Server and Confluence Data Center versions 6.13.23, 7.4.11, 7.11.6, 7.12.5, and 7.13.0.

Note

  • Read the section describing what you need to do carefully. While the listed versions have fixes, you need to make plans to move to 7.13.0 (or later). If you cannot implement the update, there is a workaround script to provide a temporary fix until you do. Note that as you need to shut down Confluence to apply that fix, it may be less disruptive to simply apply the update, allowing for a single service outage.
  • Atlassian/Confluence is often used to manage software development projects. If you need extra support from management to fix this: Call it a “Supply Chain” vulnerability (which it is). Interesting wording from Atlassian to say it can be exploited by authenticated and “in some instances unauthenticated” users. Nice form of advisory speak to tell you: Patch this quickly.

Microsoft Publishes ProxyShell Guidance

Microsoft has published an advisory regarding the three ProxyShell vulnerabilities affecting on-premises Exchange servers. Attackers have been exploiting these vulnerabilities since early August; several researchers and the US Cybersecurity and Infrastructure Security Agency (CISA) have urged users to apply patches. Microsoft says that users who have applied the May 2021 or July 2021 security updates are protected.

Note

  • Microsoft lists the conditions under which your Exchange servers are vulnerable. The recommendation is to apply one of the latest CUs (Cumulative Update) and SUs (Security Update). If you’re using Exchange Online – don’t click the done button until you are certain your hybrid Exchange servers are addressed. Verify those hybrid servers are still needed, and if they are needed only to support your migration to Exchange Online, retire them.

F5 Releases Fixes for 13 High Severity BIG-IP Bugs

F5 has released fixes for 29 security issues in its BIG-IP and BIG-IQ devices. Thirteen of the flaws are rated high severity. One of those vulnerabilities, a privilege elevation issue affecting BIG-IP modules Advanced WAF (Web Application Firewall) and the Application Security Manager (ASM), is rated critical for users running BIG-IP in Appliance Mode.

Note

  • F5 recommends updating your BIG-IP appliances to at least BIG-IP 14.1.0 and your BIG-IP VEs to at least BIG-IP 15.1.0. Take a serious look at moving to BIG-IP 16.1.0 or higher which is repeatedly listed as having the fixes to the identified vulnerabilities. Note that some of the fixes will introduce a loss of functionality: read the supporting bulletins to verify any additional actions needed beyond the update itself. Where possible test these changes in non-production devices first.

Cisco Fixes Critical Application Policy Infrastructure Controller Vulnerability

Cisco has released updates to address a critical flaw in the Application Policy Infrastructure Controller (APIC) interface in its Nexus 9000 Series Switches. The improper access control issue could be exploited “to read or write arbitrary files on an affected device.”

Note

  • There are no workarounds for this flaw. With the exception of Cisco APIC version 5.2, all other releases have update requirements. Making plans to update to version 5.2 is ideal. Ensure your hardware is sufficient, including memory, to support that version prior to attempting that update.

FBI Alert Warns of Hive Ransomware

The FBI has released a TLP:WHITE Flash Alert regarding Hive ransomware, which has been used in at least 28 attacks, including one against Memorial Health System in Ohio and West Virginia. The alert describes technical details about the ransomware and lists indicators of compromise.

Note

  • Read the IC3 notice to understand the behavior of this ransomware, including how it hides its actions, and IOCs to incorporate in your SIEM. Note that Hive deletes volume shadow copies including disk backup copies and snapshots. This is another case where data is exfiltrated and threats of publishing are used to further extort payment. Review your ransomware preparedness plan, making sure you’ve already established a connection/contact with your local FBI field office, rather than trying to figure that out when responding to an incident.
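
The shadow-copy deletion the note above calls out is one of the few ransomware steps that is both noisy and early enough to act on. The following is an added example, not code from the FBI alert or from any Hive analysis: it runs a small set of detection rules over constructed process-creation events (Sysmon Event ID 1 style, invented hosts and users) and triages per host. The command forms matched (vssadmin, wmic shadowcopy, the Win32_ShadowCopy WMI class, bcdedit recovery settings, wbadmin catalog deletion) are the ones commonly documented for ransomware families in general, an assumption on my part rather than something quoted from the Hive notice, and the "two distinct techniques from one host" threshold is likewise a starting point to tune.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Rules are applied to a lower-cased, whitespace-normalised command line.
# Assumption: these are generic ransomware backup-destruction commands,
# not indicators quoted from the FBI Hive alert.
SHADOW_RULES = [
    ("vssadmin_delete_shadows",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b")),
    ("vssadmin_resize_shadowstorage",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bresize\s+shadowstorage\b")),
    ("wmic_shadowcopy_delete",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b")),
    ("powershell_win32_shadowcopy_delete",
     re.compile(r"\bwin32_shadowcopy\b.*\bdelete\b")),
    ("bcdedit_disable_recovery",
     re.compile(r"\bbcdedit(\.exe)?\b.*(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)")),
    ("wbadmin_delete_catalog",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\s+catalog\b")),
]


def normalize(command_line: str) -> str:
    """Collapse whitespace and lower-case so casing/spacing tricks do not evade the rules."""
    return re.sub(r"\s+", " ", command_line.strip()).lower()


def match_rules(command_line: str) -> List[str]:
    """Names of every rule the command line triggers; empty list means no match."""
    cmd = normalize(command_line)
    return [name for name, rx in SHADOW_RULES if rx.search(cmd)]


# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "cmd": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "cmd": "wmic.exe shadowcopy delete"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "cmd": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws-042", "user": "CORP\\jdoe",
     "parent": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe",
     "cmd": "powershell -c \"Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete()}\""},
    # Benign housekeeping from a backup service account: listing and resizing only.
    {"host": "srv-bk01", "user": "CORP\\backupsvc",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin list shadows"},
    {"host": "srv-bk01", "user": "CORP\\backupsvc",
     "parent": "C:\\Windows\\System32\\cmd.exe",
     "cmd": "vssadmin resize shadowstorage /For=C: /On=C: /MaxSize=20GB"},
]


def triage(events: List[Dict[str, str]], high_threshold: int = 2) -> Dict[str, Dict]:
    """Group hits per host. Several distinct techniques from one host is the strong
    signal; a lone resize from a backup account is usually housekeeping to review."""
    per_host: Dict[str, Dict] = defaultdict(
        lambda: {"rules": set(), "parents": set(), "events": 0})
    for ev in events:
        hits = match_rules(ev["cmd"])
        if not hits:
            continue
        entry = per_host[ev["host"]]
        entry["rules"].update(hits)
        entry["parents"].add(ev["parent"])
        entry["events"] += 1
    result: Dict[str, Dict] = {}
    for host, entry in per_host.items():
        verdict = "high" if len(entry["rules"]) >= high_threshold else "review"
        result[host] = {"verdict": verdict,
                        "rules": sorted(entry["rules"]),
                        "parents": sorted(entry["parents"]),
                        "events": entry["events"]}
    return result


if __name__ == "__main__":
    for host, summary in triage(SAMPLE_EVENTS).items():
        print(host, summary["verdict"], ", ".join(summary["rules"]))
```

The parent process is carried through on purpose: the same vssadmin command spawned from a backup agent and from an executable in a user's Temp directory deserve very different responses, and that is the field you add to the alert rather than the one you filter on.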

Updates Available for B. Braun Medical Infusion Pump and Dock Vulnerabilities

Vulnerabilities in medical devices made by B. Braun could be chained together to allow an attacker to alter the rate at which medication is administered. The flaws affect B. Braun Infusomat Space Large Volume Pump and B. Braun SpaceStation infusion pump and docking station. McAfee found the flaws and notified B. Braun in January 2021. The company has issued updates to address the vulnerabilities.

Cloudflare: Huge DDoS Attack

Cloudflare reports that in July, it detected and mitigated a distributed denial-of-service (DDoS) attack that maxed out at 17.2 million HTTP requests-per-second. The attack lasted less than a minute. Cloudflare says the attack was using more than 20,000 infected devices in more than 100 countries. The same botnet targeted a different Cloudflare customer last week with a maximum rate of eight million requests-per-second.

Note

  • Cloudflare’s DDoS mitigation service is separate from their CDN offering. It leverages their presence around the globe to detect, measure, and stop these activities. Customer traffic has to be routed through their system, which then dynamically builds rules to stop the attack at layer 4, rather than layer 7. The top network layer attacks are SYN, Reset, and UDP floods, with an emerging trend in network protocol attacks, including UDP Portmap and Quote of the Day (QOTD). There seems to be a trend for shorter and more intense DDoS attacks that reactive SOC monitoring and response are not well suited for; automation is key here. Work with your DDoS vendor to tune your mitigation system based on your threat model.
  • The press loves “biggest DDoS attack ever” stories but many of the most damaging DDoS attacks weren’t brute force with high numbers of requests per second. The important point is where in your architecture have you put mitigation of denial-of-service attempts and do you regularly test your switchover to alternate connections or mitigation services?
  • DDoS attacks are now so commonplace that hosting an online service without DDoS protection is similar to not having spam filtering for your email. Criminals will continue to evolve their tools and techniques in this area which requires constant innovation by defenders.
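
The notes above make the point that an attack lasting under a minute is over before a human in a SOC has finished reading the alert. The following is an added example, not Cloudflare's code or anything from their report: it buckets request timestamps into one-second windows, compares each second against the median rate, and turns the flagged seconds into a mitigation decision (the /24 prefixes that dominated the burst) with no human in the loop. The traffic is constructed inline (a 5 req/s baseline with a three-second, 400 req/s burst from two documentation address ranges), and the "ten times the median, at least 100 req/s" trigger is an assumed starting point that you would tune to your own baseline.

```python
import math
from collections import Counter
from ipaddress import ip_network
from typing import Dict, List, Tuple


def build_sample() -> List[Tuple[float, str]]:
    """Constructed request log as (epoch_seconds, client_ip); not real traffic.
    Seconds 0-9 and 13-19 carry ~5 req/s; seconds 10-12 carry 400 req/s."""
    events: List[Tuple[float, str]] = []
    t0 = 1_627_000_000.0
    for sec in list(range(0, 10)) + list(range(13, 20)):
        for i in range(5):
            events.append((t0 + sec + i / 5, f"198.51.100.{i + 1}"))
    for sec in range(10, 13):
        for i in range(400):
            prefix = "203.0.113." if i % 2 == 0 else "192.0.2."
            events.append((t0 + sec + i / 400, prefix + str(i % 200 + 1)))
    return events


def per_second_rates(events: List[Tuple[float, str]]) -> Dict[int, int]:
    """Requests per one-second bucket, keyed by the bucket's epoch second."""
    buckets = Counter(int(math.floor(ts)) for ts, _ in events)
    return dict(sorted(buckets.items()))


def detect_bursts(events: List[Tuple[float, str]], factor: float = 10.0,
                  min_rps: int = 100) -> Tuple[List[int], int, int]:
    """Seconds whose rate exceeds max(min_rps, factor * median), plus median and peak.
    The median rather than the mean keeps the baseline from being dragged up
    by the burst itself."""
    rates = per_second_rates(events)
    values = sorted(rates.values())
    median = values[len(values) // 2]
    threshold = max(min_rps, factor * median)
    flagged = [sec for sec, n in rates.items() if n >= threshold]
    return flagged, median, max(values)


def top_prefixes(events: List[Tuple[float, str]], seconds: List[int],
                 prefix_len: int = 24, top: int = 3) -> List[Tuple[str, int]]:
    """Most active /prefix_len networks during the flagged seconds only."""
    secs = set(seconds)
    counts: Counter = Counter()
    for ts, ip in events:
        if int(math.floor(ts)) in secs:
            counts[str(ip_network(f"{ip}/{prefix_len}", strict=False))] += 1
    return counts.most_common(top)


def mitigation_plan(events: List[Tuple[float, str]]) -> Dict:
    """Decision an automated responder would emit; 'none' when nothing is flagged."""
    flagged, median, peak = detect_bursts(events)
    if not flagged:
        return {"action": "none", "baseline_rps": median, "peak_rps": peak}
    return {
        "action": "rate-limit",
        "window": (min(flagged), max(flagged)),
        "duration_s": len(flagged),
        "baseline_rps": median,
        "peak_rps": peak,
        "block": [net for net, _ in top_prefixes(events, flagged)],
    }


if __name__ == "__main__":
    print(mitigation_plan(build_sample()))
```

The interesting figure in the output is duration_s: three seconds from first anomalous bucket to last, which is the window a mitigation has to act in. In production the block list would be a rate-limit scoped to the flagged prefixes rather than a hard deny, since a source /24 inside a residential ISP also carries legitimate users.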

Misconfigured Microsoft Power Apps Portals Exposed Data

Earlier this year, researchers from UpGuard discovered that misconfigured Microsoft Power Apps portals exposed millions of records. Power Apps portals offer application programming interfaces (APIs) which, when enabled, defaulted to making the underlying data publicly accessible. The exposed information includes COVID-19 contact tracing and vaccination sign-up data, and job applicant data, including Social Security numbers. Earlier this month, Microsoft announced that Power Apps portals will now store API and other data privately by default.

Note

  • If the data is in the cloud, better make sure you have your authorization controls in place. People will find it. In this case, Microsoft warns of weak configurations, but does allow them with a single click. Power Apps are intended to be used by non-coders to write applications. This audience may not fully understand the implications of the warning.
  • There is an old joke about a badly written manual on how to defuse a bomb that said, “Cut the blue wire after you cut the red wire.” Yes, the instructions were correct but the way it was worded guaranteed a dangerous result and a loud boom. Good to see that Microsoft abandoned its original “not a vulnerability, it is by design” to making it easier for security to be the default position.
  • Deny by default is a lesson we all need to learn, particularly as we move to the cloud. Verify access controls are as expected. As much as we trust large service and application suppliers such as Amazon, Microsoft, Oracle, Google, always verify and monitor the security is as described and remains so. At the end of the day, it matters more to detect and address insufficient access controls than to find out your data is exfiltrated and for sale.
  • Developers exhibit a strong preference for convenient defaults over safe ones; they have been trained by users that are more likely to complain about “hard to use” than “risky to use.” Until and unless they can be retrained, users may not assume that products are “safe out of the box.”

CISA Issues Urgent Alert to Patch ProxyShell Vulnerabilities

Over the weekend, the US Cybersecurity and Infrastructure Security Agency (CISA) issued an urgent alert warning that “Malicious cyber actors are actively exploiting … ProxyShell vulnerabilities.” Microsoft released fixes for the flaws in May.

Note

  • If you still find an unpatched and exposed Exchange server, walk away from it… who knows how many attackers are already fighting for it. “Cleaning it up” will be impossible. Or as they say, “nuke from orbit.”
  • The amount of abuse your organization will take for running something like Exchange in-house keeps going up. As Dr. Ullrich said in today’s Stormcast, “If you haven’t patched yet, don’t bother – just move on.”
  • All three vulnerabilities (CVE-2021-34473, CVE-2021-34523 and CVE-2021-31207) are fixed in Microsoft’s May security update. Make sure you’re applying the monthly updates. Updates for Windows 10 are cumulative, so August’s updates also include these fixes.
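
Because exploitation began before many servers were patched, applying the update is only half the job; the IIS logs from the exposed period need a look. The following is an added example, not from Microsoft's or CISA's guidance: it parses a constructed IIS-style log excerpt (simplified W3C field layout, invented addresses) and flags the request shape that abuses the Autodiscover front end. The indicators it looks for (a query string that begins with "@", a nested autodiscover.json?@ inside the Email parameter, and the PowerShell back end or its X-Rps-CAT parameter reached through that path) are drawn from public write-ups of the CVE-2021-34473 path-confusion step, which is an assumption of this example rather than something the advisory above states, and the field order is whatever your own log header says.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import unquote

# Constructed IIS-style excerpt with a simplified field set; not real traffic.
# A legitimate Autodiscover v2 lookup is included to show it is not flagged.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query sc-status c-ip
2021-08-22 03:12:07 GET /autodiscover/autodiscover.json @evil.example/mapi/nspi/?&Email=autodiscover/autodiscover.json%3F@evil.example 200 203.0.113.10
2021-08-22 03:12:09 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=VgEAVAdXaW5kb3dz 200 203.0.113.10
2021-08-22 03:14:01 GET /owa/ - 200 198.51.100.7
2021-08-22 03:14:30 POST /autodiscover/autodiscover.xml - 401 198.51.100.7
2021-08-22 03:15:02 GET /autodiscover/autodiscover.json Email=alice@corp.example&Protocol=Ews 200 198.51.100.8
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields; None for comments, blanks or wrong field count."""
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, method, stem, query, status, client_ip = parts
    return {"method": method, "stem": stem,
            "query": "" if query == "-" else unquote(query),  # decode %3F etc.
            "status": status, "ip": client_ip, "raw": line}


def classify(rec: Dict[str, str]) -> List[str]:
    """Reasons the request resembles the Autodiscover path-confusion abuse; empty = clean."""
    reasons: List[str] = []
    if not rec["stem"].lower().endswith("/autodiscover/autodiscover.json"):
        return reasons
    q = rec["query"].lower()
    if q.startswith("@"):
        reasons.append("query begins with '@' (autodiscover path confusion)")
    if "autodiscover.json?@" in q:
        reasons.append("nested autodiscover.json?@ in Email parameter")
    if "/powershell" in q or "x-rps-cat" in q:
        reasons.append("PowerShell backend reached through autodiscover")
    return reasons


@dataclass
class Hit:
    client_ip: str
    reasons: List[str]
    raw: str


def scan(log_text: str) -> List[Hit]:
    """Run classify() over every parsable line and keep the ones with reasons."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            hits.append(Hit(rec["ip"], reasons, rec["raw"]))
    return hits


def suspicious_ips(hits: List[Hit]) -> List[str]:
    """Distinct client addresses behind the hits, for blocking or pivoting."""
    return sorted({h.client_ip for h in hits})


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit.client_ip, "|", "; ".join(hit.reasons))
    print("sources:", suspicious_ips(scan(SAMPLE_LOG)))
```

The "@" test is deliberately restricted to the start of the query: a legitimate Autodiscover v2 lookup carries an "@" inside Email=user@domain, and flagging every "@" would bury the real hits in noise. A hit here is a reason to treat the server as compromised and check for web shells, not proof by itself.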

Razer Installer Gives Users Windows 10 SYSTEM Privileges

An unpatched vulnerability in the Razer peripherals installer grants users full administrative rights on Windows 10 systems. When a Razer device is plugged in, Windows automatically downloads an installer with driver software and the Synapse utility.

Note

  • Incident responders should add an investigation of locally installed Windows drivers to their playbooks (C:\Windows\System32\drivers). Privilege escalation through vulnerable drivers is a systemic problem for Windows, and one that requires significant re-architecting to prevent. We’ll likely see a lot more of these vulnerabilities in the future.
  • This exploit leverages Windows’ automatic installation of drivers and requires local access to the system to interact with the installer. By using the installer’s option to select where the software is installed, coupled with the Windows Explorer option to ‘Open PowerShell window here,’ that shell is opened with the privileges of the installer; in this case System. Razer is publishing an update which addresses the vulnerability, as well as providing the researcher with a bug bounty, even though this was disclosed.
  • First printer drivers, now mouse drivers. The ability of normal users to install code that will later be executed by a higher privileged user is very dangerous and I am sure this pattern will continue to provide interesting vulnerabilities in the future.

Realtek SDK Vulnerabilities are Being Actively Exploited

Threat actors are actively exploiting vulnerabilities in the Realtek Software Development Kit (SDK). Realtek disclosed the flaws and released fixes on August 15. Researchers from IoT Inspector published details about the vulnerabilities the following day. The issues affect devices from 65 vendors.

Note

  • IoT Inspector found about a dozen vulnerabilities and their report lists about 200 types of affected devices including routers, IP cameras, Wi-Fi repeaters and gateways. They also include queries to discover the devices using Shodan. Restrict network access to only authorized devices/users, disallowing Internet access where possible to mitigate risks of exploiting default/hard-coded credentials as well as other attack vectors. Leverage the IOCs in the IoT Inspector report to augment your detection/response capabilities.
  • In light of these supply chain attacks, buyers should demand information about the provenance of the software in products they might purchase. The provenance must include not only a “bill of materials” for the product but also information about the tools and processes used to build it. Only then are they in a position to assess and mitigate their exposure to these attacks.

Nokia Subsidiary Suffers Ransomware Attack

A Nokia subsidiary, SAC Wireless, has disclosed that it was the victim of a ransomware attack during which the criminals also stole data. SAC Wireless helps customers design and build cellular networks. The compromised data include contact information, government ID numbers, employment information, health information, tax return data, and digital signatures.

US State Department Reportedly Experienced Cybersecurity Incident

The US State Department reportedly experienced a cyberattack that prompted notification to the Defense Department’s Cyber Command. The incident does not appear to have had an effect on State Department day-to-day operations, but few other details have been made available. The State Department was one of several government departments that a Senate report criticized for failing to meet “the basic cybersecurity standards necessary to protect America’s sensitive data.”

Note

  • Earlier this month, an audit report was released citing State and six other agencies for having weak security practices, in effect a guide for the sorts of practices to target for a successful exploit. When you are the recipient of a negative report like that, you need to create a prioritized remediation plan and start closing findings well ahead of the publish/release date to get ahead of those inevitable attacks.

Stolen Funds Returned to Poly Network

The thief who stole more than $600 million in cryptocurrency from the Poly Network has returned all of the funds. Poly Network is now in the process of restoring asset control to users.

Note

  • The attacker returned the pilfered funds as well as the bounty Poly Network paid ($500,000) to their wallet. Poly also offered him the position of “Chief Security Advisor” although it’s not clear if the offer will be accepted. It’s not a bad idea to leverage the hacker’s skills and mindset to find ways to improve and maintain security. The trick will be finding a way to build and maintain trust. A risk-based decision is needed in this scenario to determine if the oversight needed to ensure the hacker doesn’t cause added harm is worth the offset in security to reduce the likelihood of further incidents.
  • If one cannot spend it, one might as well return it to those who can. While we may not be able to regain control of funds in destination accounts, we can blacklist the accounts so that the money cannot be spent or transferred.

Liquid Crypto Exchange Theft

Thieves have stolen nearly $100 million from the Japanese cryptocurrency exchange Liquid. The company is tracking the stolen funds and working with other exchanges to freeze the stolen assets.

Note

  • For several years, the list of “cryptocurrency” compromises has grown much faster than the list of legitimate companies accepting them. I think a better way to describe most of these is to call them “dissolvable currencies” – the “crypto” term was worked in to imply strong levels of safety, which is almost never the case.
  • In 2014, Tokyo-based Bitcoin exchange Mt. Gox lost over $400 million in a crypto heist, which resulted in Japan’s legislators passing a law to regulate Bitcoin exchanges. Japan also recognizes Bitcoin and other digital currencies as legal property under their Payment Services Act (PSA). This helps support the actions to freeze accounts and stop movement of pilfered assets. The attackers are then using decentralized exchanges, outside Japan, to avoid being frozen.
  • When we use the expression “crypto” we imply “cryptographically” secure; the cryptography is working as intended. However, cryptography is never more secure than the environment in which the keys are stored and protected. Thus we see that the distributed ledger is working as intended but wallets and exchanges are being compromised. These are no stronger than the lockwords that are chosen by human beings to protect the private keys. Choose carefully. Prefer exchanges that offer strong authentication.

BlackBerry QNX RTOS BadAlloc Vulnerability

The US Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert warning of a vulnerability affecting BlackBerry’s QNX Real Time Operating System (RTOS). The issue is due to an integer overflow in the C Runtime Library and is one of the vulnerabilities in a group of flaws known as BadAlloc.

Note

  • Assessing the impact of this vulnerability is very difficult. BlackBerry QNX is used in various devices: medical, industrial, automotive and more. The vulnerability is only exploitable if it is exposed via software running on a BlackBerry QNX device. This software is likely not part of BlackBerry QNX but created for a particular device. First try to get a handle on which devices actually use BlackBerry QNX in your environment, or if you use it in any products. The safe option is to patch regardless of exposure. Finally, any devices like this should always be segregated as much as possible.
  • The wide variety of embedded systems with QNX means updates are not going to be available at a specific point in time. Make sure only authorized connections are allowed, and apply the updates when available. Monitor for malfeasance or other signs of tampering.

Fortinet FortiWeb Web App Firewall Vulnerability

A command injection flaw in the FortiWeb web application firewall could be exploited to gain elevated privileges and take control of vulnerable devices. The vulnerability was detected and disclosed by cybersecurity firm Rapid7. The flaw affects the FortiWeb management interface versions 6.3.11 and older. Fortinet plans to release FortiWeb version 6.4.2 before the end of August.

Note

  • A patch will hopefully be released soon. But the vulnerable web based admin interface should not be exposed anyway, limiting exploitability.

T-Mobile Discloses More Information About Data Breach

T-Mobile has released additional details about a data breach that compromised customer information. The incident affected more than 48 million people. The compromised data include names, dates of birth, Social Security numbers, and driver’s license numbers. The names, phone numbers, and PINs of an additional 850,000 customers were also compromised. T-Mobile has reset PINs on compromised accounts.

Note

  • T-Mobile, like other carriers, requires a full credit check across all three credit agencies for any new postpaid account. In supporting these credit checks, carriers are building large targets that are impossible to protect. The cost of this leak will be minimal to T-Mobile and is unlikely to change any behavior. As a consumer: Freeze your credit file, make it painful for companies like T-Mobile to make you a customer and maybe eventually they will realize that some fraud is less costly than storing excessive amounts of information that they do not know how to protect.
  • Of the 48M people impacted, almost 40M weren’t even current T-Mobile customers but the data was still stored and left unprotected. The GDPR regulations require data minimization be followed in data collection, defined as “limited to what is necessary in relation to the purposes for which they are processed” but unfortunately the mish-mash of outdated national privacy and fraud regulations in the US does not. The compromise of PIN numbers meant those 850,000 customers were vulnerable to SIM-swapping attacks.
  • Retention of data, particularly for past customers is tricky with privacy laws. The mantra needs to be keep data for the minimum possible time. Make sure that you have clear retention policies, and they are followed, now update those processes and policies to incorporate relevant privacy laws. If you are archiving old data, monitor access to that archive carefully.
  • It appears that this breach could be similar to the OPM breach of 2015. In that breach, one of the biggest issues is OPM had thousands if not millions of records online that were no longer needed. It appears the same could be for the T-Mobile breach, with data on almost 40 million people who are no longer T-Mobile customers, or never even were. The first rule of data security is the best way to secure data is not to collect / store the data.

Kalay P2P SDK Vulnerability

Researchers from Mandiant and the US Cybersecurity and Infrastructure Security Agency (CISA) have disclosed an improper access control vulnerability in ThroughTek’s Kalay P2P Software Development Kit (SDK), which is used in tens of millions of devices. The flaw affects Kalay P2P SDK versions 3.1.5 and earlier. To address the issue, users will need to enable two optional features: the encrypted communication protocol DTLS and the API authentication mechanism AuthKey.

Note

  • If there is a theme this week, it is SDK vulnerabilities. Kalay, ThroughTek and in some ways BlackBerry QNX fall into this category. The product itself may only be vulnerable if specific features in the SDK are used by third party software, making it difficult to identify vulnerable devices. The Kalay vulnerability is probably the easiest one to identify as it is linked to the use of the specific P2P protocol.
  • This is a “supply chain” issue in which the end user is unlikely to know that he is using affected products.

Google Project Zero Discloses Windows Privilege Elevation Vulnerability

Google Project Zero disclosed a privilege elevation flaw in Windows just six weeks after notifying Microsoft of the issue. Project Zero normally waits 90 days before disclosing a vulnerability, but on July 18, Microsoft had indicated that it did not intend to issue a patch for the flaw. When a vendor says they do not plan to patch the vulnerability, Project Zero designates it as “WontFix” and treats it as a non-security bug. However, on Wednesday, August 18, Microsoft said it would release a fix.

Note

  • So far, no information from Microsoft on why they originally decided this was not a security flaw, even though in July they did issue a patch for a very similar vulnerability in Windows, or why a month later they changed their mind. When a vendor declares they will not patch a proven exploitable flaw, disclosure has to happen in order for vulnerable users to take mitigation steps and for security vendors to add capabilities to detect and block attempts to exploit.

Cisco Has No Plans to Patch Critical Flaw in Older SMB Routers

Cisco says it will not release a fix for a vulnerability in the Universal Plug-and-Play (UPnP) service that could be exploited to execute arbitrary code or create denial-of-service conditions. The affected products have reached end-of-life and users are being encouraged to migrate to newer routers. There are no workarounds, but users can disable UPnP on affected devices.

Note

  • These routers are no longer supported, and have not been supported by Cisco for a while. You may still mitigate the vulnerability by disabling UPnP. UPnP should be disabled anyway. But in general: Track the EoL status of any equipment in your network. Not all vendors will even announce vulnerabilities once a device is no longer supported. When purchasing equipment: Note the EoL date and do not purchase equipment if a vendor is not willing to commit to a minimum support time frame.
  • Lifecycle replacements, particularly for something which “isn’t broken” are a hard sell, particularly for SMB where margins are already tight. While we can argue the breach is more expensive than the fix, working with management to include these with other capital improvements in the long term budget lessens the blow. Prioritize replacements based on accessibility. Short term, there is no fix; if you have one of these devices (RV110W, RV130, RV130W or RV215W) replace it with a current model now.
  • I’d be willing to bet that Cisco isn’t pushing a fix since these orgs simply do not demand it. Small and Medium Businesses often don’t have dedicated IT staff, let alone security staff to identify issues like this. If the router works and the business believes they are “too small to target” (or they don’t know they are vulnerable), there’s no push to fix. SMB is in a tough spot as usual.
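
"Disable UPnP" is only a mitigation if the service actually stops answering, and on a small-business network nobody may know which boxes still have it on. The following is an added example, not Cisco's tooling or anything from the advisory: it sends the SSDP M-SEARCH that UPnP devices respond to and lists everything on the local segment that answers. The probe runs against the LAN it is executed on, so it sees the router's LAN-side service and any other UPnP device (printers, media boxes, cameras), and it is silent after a successful change; it says nothing about a WAN-facing interface, which needs a check from outside. The reply used for the parser check is constructed in the shape a UPnP root device sends, not captured from a real router, and MiniUPnPd is named there only as a typical SERVER string.

```python
import socket
from typing import Dict, List, Tuple

SSDP_GROUP = ("239.255.255.250", 1900)  # SSDP multicast group and port


def build_msearch(search_target: str = "upnp:rootdevice", mx: int = 2) -> bytes:
    """SSDP M-SEARCH request as defined by the UPnP Device Architecture."""
    lines = [
        "M-SEARCH * HTTP/1.1",
        f"HOST: {SSDP_GROUP[0]}:{SSDP_GROUP[1]}",
        'MAN: "ssdp:discover"',
        f"MX: {mx}",                 # seconds devices may wait before replying
        f"ST: {search_target}",
        "", "",                      # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Header map for an 'HTTP/1.1 200 OK' SSDP reply; {} for anything else
    (NOTIFY announcements and malformed packets are ignored)."""
    text = raw.decode("utf-8", errors="replace")
    status, _, rest = text.partition("\r\n")
    if not status.upper().startswith("HTTP/1.1 200"):
        return {}
    headers: Dict[str, str] = {}
    for line in rest.split("\r\n"):
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().upper()] = value.strip()
    return headers


def summarize(addr: Tuple[str, int], headers: Dict[str, str]) -> Dict[str, str]:
    """The fields worth recording per responder: who, what stack, where its description lives."""
    return {"ip": addr[0],
            "server": headers.get("SERVER", "?"),
            "location": headers.get("LOCATION", "?"),
            "st": headers.get("ST", "?")}


def discover(timeout: float = 3.0) -> List[Dict[str, str]]:
    """Send one M-SEARCH to the local segment and collect every device that answers."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 2)
    sock.settimeout(timeout)
    found: List[Dict[str, str]] = []
    try:
        sock.sendto(build_msearch(), SSDP_GROUP)
        while True:
            data, addr = sock.recvfrom(65535)
            headers = parse_ssdp_response(data)
            if headers:
                found.append(summarize(addr, headers))
    except socket.timeout:
        pass  # no more replies within the window
    finally:
        sock.close()
    return found


# Constructed reply in the shape a UPnP root device sends; not captured from a real device.
SAMPLE_REPLY = (b"HTTP/1.1 200 OK\r\n"
                b"CACHE-CONTROL: max-age=1800\r\n"
                b"LOCATION: http://192.168.1.1:1900/rootDesc.xml\r\n"
                b"SERVER: Linux/2.6 UPnP/1.0 MiniUPnPd/1.9\r\n"
                b"ST: upnp:rootdevice\r\n"
                b"USN: uuid:00000000-0000-0000-0000-000000000001::upnp:rootdevice\r\n\r\n")


if __name__ == "__main__":
    devices = discover()
    if not devices:
        print("no SSDP responders on this segment")
    for dev in devices:
        print(dev["ip"], dev["server"], dev["location"])
```

Run it once before and once after turning UPnP off on the router; the router's address should drop out of the list. The LOCATION URL is the device description document, which is also what to fetch (from a management host, not blindly) when you need to confirm what stack a responder runs.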

Commerce OIG: Census Bureau Mishandled Cybersecurity Incident

An audit report from the US Department of Commerce Office of Inspector General examined the US Census Bureau’s response to a January 2020 cybersecurity incident. The report found that “the Bureau missed opportunities to mitigate a critical vulnerability, which resulted in the exploitation of vital servers.” In addition, the Bureau was operating unsupported servers; failed to maintain adequate logs, hindering the investigation; and failed to “discover and report the incident in a timely manner.”

Note

  • Lots to unpack here. Patching, lifecycle management, monitoring, and incident reporting are all key cybersecurity activities. With EO14028 pushing for Zero Trust, as well as increased incident response and communication, these basic activities have to be addressed, and not all agencies are prepared. Begin with a discovery activity to make sure you know all your assets and what they do, then move to patching. While you’re touching things, make sure they are sending logs to a centralized repository, and have your SOC monitor and create alerts. DHS/CISA have resources you can leverage to help with this as well as reporting.
  • As is usually the case, there are cautions for us all in these public audit reports.

Protecting Sensitive US Data During Withdrawal from Afghanistan

Some security experts say that the US withdrawal from Afghanistan poses minimal cyber risks. Others are concerned about data shared with Afghanistan’s government, non-governmental organizations (NGOs), and others. The US Department of Defense (DoD) Office of Inspector General has released a management advisory offering guidance for protecting data during the US withdrawal.

Note

  • Embassy personnel are actually trained on emergency destruction processes to leave no useable systems or data (digital or paper) behind. With today’s practices, where more and more data is cloud based, when leaving a facility, it’s important to make sure that no information is left behind which could be used to access or recover an account to access that data. Sweep your old facility before handing it over to ensure nothing is overlooked.

Read more in

Texas Police Dept. Lost 8TB of Data During Migration

The Dallas, Texas, Police Department has disclosed that it lost 22 terabytes of data during a network drive migration earlier this year. Fourteen TB were recovered, but 8TB “are believed to be unrecoverable,” according to a statement from the Dallas County Criminal District Attorney’s office. The affected data include criminal case files created prior to July 28, 2020. The Dallas Police Department (DPD) and City of Dallas Information and Technology Services Department (ITS) notified the DA’s office on August 6.

Note

  • Business interruption from accidents and other self-inflicted wounds isn’t as sexy as cyber attacks but is equally as likely to happen and equally as disruptive in many cases. Any talk of “resiliency” needs to include critical IT operations that can put data at risk, and the processes need to be tested – just like testing the switchover to UPS power or backup internet connections periodically to make sure they work correctly.
  • Irrespective of how you are migrating, be certain you not only have backups, but also are able to restore them fully. Some technology is harder to restore and some restore operations don’t put files back where they originated. Run annual tests to make sure you really can restore the technology mixes in your environment. Lastly, make sure migration plans include a full function test before retiring the old.

Read more in

Colonial Pipeline Notifies 5,000+ People Their Data Were Compromised in Ransomware Attack

Colonial Pipeline has sent data breach notifications to 5,810 current and former employees, informing them that their personal information was compromised in the May ransomware attack that shut down the company’s operation for several days. The affected data include government-issued ID numbers and health-related information.

Note

  • Even though Colonial paid the ransom, the data was still exfiltrated. The question now becomes: do you report a data loss even after the ransom is paid and the attacker “promises” to delete your data? For sensitive data, err on the side of caution; notifying impacted parties and offering credit protection is the honorable thing to do. The compromised information, the company says, includes names, birth dates, contact information, driver’s license information, Social Security numbers, government-issued ID (such as military ID and tax ID), as well as health-related information, health insurance information included.
  • In every large scale incident response investigation there will be tremendous pressure to provide rapid answers about the implications of a breach. Getting the analysis correct to provide informed answers takes time though, and it’s positive to see Colonial Pipeline continuing their investigation so thoroughly.

Read more in

Ransomware Actors Exploiting PrintNightmare Vulnerabilities

Ransomware groups are exploiting PrintNightmare Windows Print Spooler vulnerabilities to infect targeted systems. The flaws can be exploited to execute arbitrary code which helps the threat actors alter data, create new accounts, and move through networks. Microsoft has released fixes for two of the vulnerabilities and a workaround for the third.

Note

  • Make sure that you’ve pushed out the fixes from Microsoft. Include checking for the fixes in your VPN posture check if possible. Triple check that you’re monitoring for IOCs and SMB is still blocked at the perimeter, to include Internet facing servers.

Read more in

Memorial Health System Cyber Incident Leads to EHR Downtime at Multiple Facilities

A healthcare system serving parts of West Virginia and Ohio was the target of a cyber incident on Sunday, August 15. Memorial Health System comprises 64 clinics, including three hospitals; all are operating under electronic health record (EHR) downtime. Urgent surgeries and other procedures have been cancelled, and emergency cases at some Memorial Health System facilities are being diverted to other hospitals.

Note

  • Hospitals are organizing into groups in order to enjoy efficiencies of scale, both in medicine and management. IT in general, and IT security in particular, is just one area that may benefit. However, consequences increase with scale. Cost of attack must increase with scale or risk surely will. This is an illustrative case. Note that EHR detail will be lost forever.

Read more in

SEOPress WordPress Plugin Vulnerability Fixed in Version 5.0.4

The developers of the SEOPress WordPress plugin have fixed a cross-site scripting (XSS) vulnerability that could be exploited to take control of unpatched websites. SEOPress is installed on more than 100,000 sites. Users are being urged to update to SEOPress version 5.0.4.

Note

  • The fix was released August 4th, and firewall rules were released to the paid Wordfence version July 29th; free versions will have rules August 28th. The flaw, now fixed, was that the REST-API code used to verify access relied on a nonce which could be generated by any authenticated user, not just the intended authorized user group.

Read more in

Pearson Settles SEC Charges for $1M

The US Securities and Exchange Commission (SEC) said that UK-based education publishing and services company Pearson has agreed to pay a $1 million civil penalty “to settle charges that it misled investors about a 2018 cyber intrusion involving the theft of millions of student records, including dates of births and email addresses, and had inadequate disclosure controls and procedures.”

Note

  • I think Pearson UK’s recent annual profit has been in the $4-5M range, so a $1M fine is significant, but I think the SEC can go as high as $25M in institutional stock price manipulation fines. Those lists of risk in SEC reports have turned into the long lists of possible side effects for every new drug – corporate lawyers are happy but pretty useless information for anyone trying to make a decision. Bigger fines to make CFOs and boards more proactive in making sure the reporting is honest would be a very good thing.

Read more in

Realtek SDK Vulnerabilities

Multiple vulnerabilities in software development kits (SDKs) from Realtek affect nearly 200 IoT products from more than 60 vendors. The flaws could be exploited to execute code with the highest privileges. Realtek was notified about the flaws in mid-May and began making patches available several weeks later.

Note

  • Affected Realtek hardware (and with that, software derived from its SDK) can be found everywhere. I see the list of affected vendors as a tip of the iceberg. Watch out for firmware updates for various WiFi gear like routers and cameras. Updates to this type of equipment are often not well advertised. Try to do a “Patch Day” a month, or at least once a quarter where you check for updates to your home network routers.
  • My personal experience as a pen tester for IoT technology has shown that SDKs are often problematic, creating systemic vulnerabilities for the vendors that adopt the underlying architecture. Product vendors need to remember that they are responsible for the security of the product end-to-end, not just the parts they develop internally but also for the third-party libraries, utilities, and SDKs they utilize. Static source code analysis (where possible) and penetration testing efforts are valuable for vulnerability discovery prior to product launch.
  • There is no way that end users can protect themselves from vulnerabilities originating far down in the supply chain. We must hold suppliers accountable.

Read more in

T-Mobile Acknowledges Data Breach

T-Mobile has acknowledged that company servers were breached and is investigating reports that customer data were stolen. An underground forum is reportedly offering a large cache of personal data for sale.

Note

  • The breached data reportedly includes social security numbers, phone numbers, names, physical addresses, unique IMEI numbers, and driver license information – sufficient information for either identity theft or cloning phones. T-Mobile reports they have fixed the issue which led to the compromise. If you are a customer, you need to make sure that you’ve implemented both available security controls on your account and identity protection.
  • Maybe T-Mobile will learn that data isn’t just an asset but also a liability. T-Mobile is asking for credit checks with all three major credit companies just to sign up for a wireless plan, collecting personal information to facilitate these checks. But maybe they will get away with it yet again.
  • According to Krebs, the damage borders on the catastrophic. T-Mobile is following eBay: “the less said, the better,” rather than Target: transparency.

Read more in

Linux GNU C Library Bug Fix Introduced Another Security Issue

A fix released in June for a bug in the Linux GNU C Library (glibc) introduced a more serious vulnerability. The original vulnerability could lead to application crashes. The fix for that vulnerability introduced a bug that could trigger a segmentation fault within the library. That issue could crash all apps using the library and is much easier to exploit than the original flaw. Users are encouraged to upgrade to glibc version 2.34 or higher.

Read more in

Microsoft Patch Tuesday Includes Fix for Actively Exploited Vulnerability

On Tuesday, August 10, Microsoft released fixes for 44 security issues. The batch includes patches for three security issues affecting Windows Print Spooler. One of the flaws (CVE-2021-36948), a privilege elevation issue affecting the Windows Update Medic Service, is being actively exploited.

Note

  • The latest PrintNightmare patch does reduce functionality by no longer allowing users to provide print drivers. But even with this change in functionality, the PrintNightmare isn’t over yet. A new print spooler-related vulnerability was disclosed, including PoC exploit, affecting clients connecting to compromised print servers. The vulnerability could be used for local privilege escalation (e.g., an attacker setting up a malicious print server to connect to in order to escalate privileges on a compromised system). At the same time, older PrintNightmare issues are actively used by ransomware gangs.
  • Microsoft is now enforcing requiring admin rights to install print drivers rather than making that an optional second step. The Windows Update Medic Service is a new service which aids fixing Windows Update when it gets broken so users will continue to receive updates, removing the long string of workarounds needed to fix it. That fix alone is worth deploying the update.

Read more in

New Windows Print Spooler Bug (CVE-2021-36958)

A day after its monthly patch release, Microsoft has disclosed yet another vulnerability affecting Windows Print Spooler. The privilege elevation/remote code execution vulnerability “exists when the Windows Print Spooler service improperly performs privileged file operations.” The CERT Coordination Center has issued a vulnerability note.

Note

  • Until a patch is released, there are two mitigating steps: first, block SMB shares at your perimeter, which you should already be doing; second, disable the print spooler service. Disabling the print spooler disables local and remote printing, so disable it on systems which don’t need to print, particularly domain controllers and servers which aren’t print spoolers.

Read more in

GitHub Is No Longer Accepting Passwords to Authenticate Git Operations

As of August 13, 2021, GitHub will require token-based authentication to authenticate Git operations. People still using usernames and passwords for authentication must move to a personal access token over HTTPS or SSH key. Users who have already enabled two-factor authentication for their GitHub accounts will not be affected by the change.

Note

  • For some organizations, this transition is going to be problematic or even an interruption in service, but this kind of painful transition is what we need as an industry to force the transition to passwordless authentication strategies. Bravo, GitHub.
  • One more area to make sure that you aren’t using passwords. Make sure that you’ve updated all your accounts, particularly those used with automated processes to ensure you don’t have a service interruption.
  • Every movement away from reusable passwords raises the bar against the vast majority of successful attacks. If your software development process includes use of GitHub, use this as a justification for hardening authentication across your entire software development and maintenance lifecycle.

Read more in

Thief Who Stole $600 Million from Poly Network Plans to Return It

An individual who stole more than $600 million worth of cryptocurrency from Poly Network is returning the funds. Poly Network is a decentralized financial platform that facilitates cryptocurrency/blockchain exchanges. The thief exploited a vulnerability affecting cross-chain smart contract transactions. So far, $260 million of the stolen funds has been returned to Poly Network.

Note

  • This was not a private key compromise but rather a vulnerability in the contract transaction application. Poly Network has taken steps to repair the vulnerability and was able to identify the destination wallet funds were transferred to, and ultimately the attacker’s mailbox, IP, and device fingerprints through on-chain and off-chain tracking, which hampered the thief’s ability to further move the purloined funds. Full repayment should not be expected.
  • PayPal has been around for over 20 years now, many other payment systems for more than a decade, and there have been very few major security incidents, let alone anywhere customers had to depend on the thieves returning funds! The end-to-end cost of transactions over cryptocurrency exchanges is not much lower; the risk is much higher.

Read more in

Some 5G Networks are Using 4G Infrastructure

While mobile devices may say they are connected to 5G, they may be connected to non-standalone 5G architecture, which piggybacks on 4G network infrastructure. As a result, users may not be getting the level of security that 5G purports to offer, notably protection from IMSI catchers. Relying on 4G infrastructure also makes the devices vulnerable to tracking, eavesdropping, and downgrade attacks.

Note

  • Backwards compatibility has been an issue with cell phone networks in the past in that attackers were able to trigger downgrades from more secure technologies like LTE to 3G or even GPRS. 5G mixed networks are a transition solution and will hopefully be replaced soon by pure 5G networks taking advantage of the full feature set including security options. Some carriers are already advancing this transition.
  • Moving to 5G requires updates and replacing equipment. To get started, providers are adding 5G to their existing 4G network. Stand-alone implementations are planned for the future. As part of that effort the 3G services need to be retired to make room for new separate 5G gear; those retirements are planned for the fall of 2022.

Read more in

Scripps Health Cyberattack Led to EHR Downtime and $110M in Losses and Expenses

A ransomware attack that targeted Scripps Health in California resulted in more than four weeks of electronic health record (EHR) downtime and more than $110 million in losses and expenses. When the attackers gained access to the Scripps system on April 21, 2021, they stole data; the ransomware was deployed several weeks later.

Note

  • Exfiltrating data prior to a ransomware attack is becoming SOP. Early detection of both malicious activity and unexpected data transfers need to be part of your ransomware preparedness plan. Focus first on your known sensitive data repositories, whether personnel or IP, then extend your protections based on risk. Be prepared to discover unexpected collections of data, and don’t overlook files stored locally by users.
  • Another data point about cyberinsurance with this disclosure: it appears Scripps carried $20M in cyberinsurance which was still less than the estimated $21M recovery costs and obviously didn’t come close to covering the $91M in lost revenue. A $20M policy probably cost Scripps close to $1M with a $1M deductible – so the cost of the $20M insurance policy payout was $2M. Not enough public info to estimate costs to avoid the downtime, but quite often the cost of self-insuring is not much higher than the insurance costs – and the cost of avoidance covers more than just the current year.

Read more in

OMB Memo: Federal Agencies Have 60 Days to Identify Critical Software

A memo from the US Office of Management and Budget (OMB) directs federal agencies to “identify all agency critical software, in use or in the process of acquisition” and begin the process of securing it. Agencies have one year to implement security measures established by the National Institute of Standards and Technology (NIST) to the identified software.

Note

  • The trick here is the definition of critical software is broad and can be read to include the OS, firmware and all your development tools. The memo allows for a phased approach while the specifics are worked out. Keep an eye on refinements from NIST.

Read more in

H-ISAC Alert Warns of Attacks Leveraging Right-to-Left Override

The Health Information Sharing and Analysis Center (H-ISAC) has published an alert warning of increased phishing schemes that exploit a legitimate Unicode feature to evade detection. The Right-to-Left Override Unicode character supports languages that are read right-to-left; the feature can be abused to make malicious files appear benign.

Note

  • As this is abusing built-in intended functionality, preventative controls aren’t an option. Instead, make sure that your detection tools are watching for common abuse formats of RTLO characters within filenames such as \u202E, [U+202E], and %E2%80%AE. Also check your analysis tools to ensure they do not interpret the RTLO character and instead print the true name of the file containing it.
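The check the note describes, as an added example (not H-ISAC's tooling): it flags U+202E in raw and encoded form, shows what a bidi-aware renderer would display, and prints the file's true name with the control character made visible. Sample filenames are constructed; the `[U+XXXX]` rendering is my own convention.

```python
"""Detect Right-to-Left Override (U+202E) abuse in filenames.

Hypothetical helper written for this note. It recognises the raw character
and the encoded spellings named above (\\u202E, [U+202E], %E2%80%AE).
"""
import re
import urllib.parse

RLO = "\u202e"   # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"   # POP DIRECTIONAL FORMATTING, terminates an override

# Unicode bidi controls that can change how a filename is rendered.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069\u200e\u200f")

# Encoded spellings of U+202E seen in logs, URLs and mail headers.
ENCODED_RLO = re.compile(r"\\u202e|\[u\+202e\]|%e2%80%ae", re.IGNORECASE)

# Constructed sample input: one benign name, three RTLO tricks in different encodings.
SAMPLE_NAMES = [
    "quarterly_report.pdf",
    "invoice\u202efdp.exe",          # raw character, displays as invoiceexe.pdf
    "report%E2%80%AEcod.scr",        # URL-encoded, as seen in a web proxy log
    "file [U+202E]xslx.exe",         # textual form, as some mail gateways log it
]


def decode_encodings(name: str) -> str:
    """Turn URL-encoded and textual spellings of U+202E into the real character."""
    name = urllib.parse.unquote(name)      # %E2%80%AE -> U+202E
    return ENCODED_RLO.sub(RLO, name)      # \u202E / [U+202E] -> U+202E


def contains_rtlo(name: str) -> bool:
    """True if the filename carries U+202E in raw or encoded form."""
    return RLO in decode_encodings(name)


def displayed_name(name: str) -> str:
    """Approximate what a bidi-aware UI shows: text after an RLO is reversed
    until a PDF or the end of the string. Other controls are invisible."""
    name = decode_encodings(name)
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            j = name.find(PDF, i + 1)
            if j == -1:
                j = len(name)
            out.append(name[i + 1:j][::-1])   # the overridden run, reversed
            i = j + 1
        elif ch in BIDI_CONTROLS:
            i += 1                            # rendered as nothing
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def true_name(name: str) -> str:
    """The name the OS actually uses, with every bidi control removed."""
    return "".join(ch for ch in decode_encodings(name) if ch not in BIDI_CONTROLS)


def safe_repr(name: str) -> str:
    """Render bidi controls visibly as [U+XXXX] so a log line cannot be fooled."""
    return "".join(f"[U+{ord(ch):04X}]" if ch in BIDI_CONTROLS else ch
                   for ch in decode_encodings(name))


def scan(names):
    """Return one finding per filename that abuses RLO."""
    findings = []
    for n in names:
        if not contains_rtlo(n):
            continue
        real = true_name(n)
        findings.append({
            "input": safe_repr(n),
            "displayed_as": displayed_name(n),
            "true_name": real,
            "true_extension": real.rsplit(".", 1)[-1].lower() if "." in real else "",
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_NAMES):
        print(f"{f['input']!r}: shown as {f['displayed_as']!r}, "
              f"really {f['true_name']!r} (.{f['true_extension']})")
```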

Read more in

Firefox 91 Includes New Privacy Features

Mozilla released Firefox 91 on Tuesday, August 10. The most recent version of the browser includes two new privacy features: enhanced cookie clearing and HTTPS by default in private mode. The enhanced total cookie protection lets users “easily delete all cookies and supercookies that were stored on [their] computer by a website or by any trackers embedded in it.” HTTPS by default in private mode does exactly that: “automatically establish[ing] a secure, encrypted connection over HTTPS whenever possible.”

Note

  • Turning on Strict Tracking Protection to enable this doesn’t seem to cause much breakage. Still takes a motivated user to enable all this but consumers are increasingly demanding higher levels of privacy and all the browsers are moving to higher levels by default – a very good thing.
  • Once privacy/anti-tracking features are in place, adoption will require user training and encouragement. While the impacts have been nominal, make sure the help desk staff have actually removed cookies associated with corporate on-premises and cloud services to better understand the user experience.

Read more in

Adobe Releases Updates for Magento and Adobe Connect

Adobe has released updates to address 26 vulnerabilities in the Magento e-commerce platform; 20 of the flaws are rated critical. Adobe has also released updates to address three vulnerabilities in Adobe Connect.

Read more in

Attackers Scanning for Microsoft Exchange ProxyShell Vulnerabilities

Threat actors are actively scanning for Microsoft Exchange ProxyShell vulnerabilities. Microsoft released fixes for the three vulnerabilities in April; advisories were published in May and July. Technical details about the flaws were disclosed at the Black Hat conference last week.

Note

  • Three CVEs are being leveraged to exploit the vulnerability: CVE-2021-34473, CVE-2021-34523, and CVE-2021-31207. The first two were patched in April’s Exchange KB5001779 cumulative update, the third in the May KB003435 update. Make sure that you’ve applied the current Exchange updates, and that you’re leveraging Azure Sentinel to check IIS logs for the “/autodiscover/autodiscover.json” and “/mapi/nspi/” strings to detect targeting of your servers for exploitation of the vulnerabilities.
  • Orange Tsai’s talk at Defcon outlined a whole family of possible new vulnerabilities in Exchange. It is unlikely that ProxyShell will be the last such vulnerability. Keep your Exchange patching playbooks handy. It would not surprise me to have Microsoft patch more critical Exchange vulnerabilities later today (or in the next couple months).

Read more in

Joplin, MO, Paid Ransomware Demand

An insurer for the city of Joplin, Missouri, paid a $320,000 ransom after the city’s network was the victim of a ransomware attack in July. A statement from Joplin’s city manager said the demand was paid to keep stolen data from being released, and that “the city has restored nearly every system and the associated data needed to resume normal operations.”

Note

  • Note that even after paying the ransom, the city will have to incur the costs to notify all possibly impacted citizens and offer them the usual credit/identity theft monitoring services, and remedy the deficiencies that enabled the ransomware attack to succeed. Since the attackers had control of that data, a breach occurred – the hope is the extortion payment lessens the harm to the citizens. But the payment does not reduce the costs the city will incur.

Read more in

Pulse Secure Releases Updated Fix for VPN Appliances

Pulse Secure has released an updated fix for a vulnerability that was inadequately patched last year. The critical post-authentication remote code execution vulnerability affects Connect Secure VPN appliances.

Note

  • Luckily, a new CVE number was assigned to this issue. But in some ways, it is due to an incomplete patch released for a vulnerability last year. Do not get confused by this and make sure you patch. The original vulnerability was heavily exploited.
  • Pulse Secure initiated a rigorous external code review and discovered six vulnerabilities which have been fixed in their 9.1R12 firmware update. The update also provides the ability to run their integrity checking tool without incurring downtime, which was a downside with prior actions needed to detect compromise. That improvement alone warrants raising the priority of applying this update.

Read more in

Google Play Store Changes

As of August 1, developers who wish to publish new apps in the Google Play Store will need to use the Android app bundle (AAB) framework instead of the Android Package (APK), which had been the standard before AAB was introduced in 2018. The AAB standard allows for “streamlined releases and advanced distribution features.”

Note

  • The AAB format allows applications to be optimized for delivery to different platforms, reducing the footprint for apps on smaller devices. Coupled with Play Asset Delivery and Play Feature Delivery, which replace unsigned OBB application expansion files for dynamic delivery of added features and content with signed distribution APKs, the goal is to improve the overall application delivery and security. Google’s Play Store is the only app store which currently supports these features, so read the guidance from Google if you need options for delivery on other distribution channels.

Read more in

PCI Security Standards Council and Cloud Security Alliance Joint Bulletin

A joint bulletin from the Payment Card Industry Security Standards Council (PCI SSC) and the Cloud Security Alliance (CSA) aims to “educate stakeholders on the importance of properly scoping cloud environments and good cloud security measures for payment security protection.” The bulletin includes lists of resources from both organizations.

Note

  • There really isn’t anything new in this bulletin that isn’t in the 2018 PCI SSC Cloud Computing Guidelines. The key sentence in the bulletin: “Data breach investigation reports continue to find that organizations suffering compromises involving payment data were unaware that cardholder data was present on the compromised systems.” Whether it is on premise or in the cloud, if you don’t know where critical data is you cannot protect it. Persistent encryption that happens at the source of the data is needed, which in turn needs Multi Factor Authentication to be in place to assure only authorized parties can decrypt.
  • The message is to understand what your Cloud Service Provider (CSP) is doing, where your payment data is processed, and apply the same governance to the cloud implementation of payment processing as you did to on-premise implementations. The PCI-CSA bulletin provides guidance to follow and questions to ask as well as resources such as the CSA CCM which you can leverage to assess your cloud implementation.
  • The payment card industry continues to place the cost and burden of fraud on consumers and merchants while perpetuating the fundamental vulnerability of publishing and accepting primary account numbers in the clear. While EMV is now almost universally implemented and accepted, the brands still have no plan to eliminate the magnetic stripe vulnerability. Online merchants should use check-out proxies, like PayPal and Apple Pay, in lieu of accepting credit and debit card numbers in the clear. Consumers should prefer mobile payment systems to the use of credit and debit cards.

Read more in

DEF CON: IoT Hardware Random Number Generator Weaknesses

In a DEF CON talk, researchers from Bishop Fox describe issues with hardware random number generators (RNGs), noting that “every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use.” The researchers write that IoT needs a cryptographically secure pseudo-random number generator (CSPRNG) subsystem.

Note

  • Random number generators in IoT devices have been recognized as an IoT problem for a while. For larger systems, advanced CPU features or in some cases even add-on hardware can be used to create quite good streams of random numbers. But for IoT devices, cost cutting and limited features often leads to very predictable execution paths which in turn lead to more predictable random numbers. This is probably best addressed by adding specific entropy sources to IoT CPU designs. These design changes are cheap and can be very effective.
  • Creating code that uses good pseudo-random numbers, let alone cryptographically secure ones, takes extra work which is easily dismissed as not worth it. Identify functions which must have a CSPRNG and verify those as part of your SDLC. Where possible leverage built-in capabilities found on system-on-a-chip devices, then call that consistently throughout your code. For users of IoT devices, limit connections, inbound and outbound where possible, to reduce exposure of insecure access controls.

Read more in

Google is Previewing Unattended Project Reminder

Google is previewing a new Active Assist feature designed to help users identify and manage inactive cloud computing projects. Unattended Project Reminder generates recommendations to help users with “discovering, reclaiming, and shutting down unattended projects.”

Read more in

FTC Warns of SMS Phishing Scheme

The US Federal Trade Commission (FTC) is warning of an SMS phishing campaign that attempts to harvest personally identifiable data of people applying for unemployment benefits. The phony messages impersonate various state agencies and provide links to maliciously crafted websites designed to look like the state agencies’ sites.

Note

  • While the advice to users is similar for email and SMS Phishing attempts, SMS messages don’t have the benefit of screening by your corporate protections. Users still need to beware of unexpected links in SMS messages and to consider the source carefully before acting. Consider blocking unknown SMS senders. Spam filters for SMS rely on sending all SMS messages to a third party for analysis, so you need to consider the risk and privacy impacts before enabling those services.
  • I don’t know about you, but I have personally seen a jump in SMS phishing (sometimes called Smishing) attacks also. Cyber criminals are extremely adaptable. If they perceive organizations (and people) are getting better at spotting email phishing attacks, they will quite readily jump to other mediums (texting, social media, voice). When training your workforce how to spot any type of attack, don’t focus on the medium (email vs. texting, etc.), focus on the common indicators they all share. That way as cyber criminals jump from one technology to the next, your workforce is trained and can spot the attacks.
  • Not sure if there is an overall uptick. But there are some pretty odd brazen attempts I have seen recently. For example: isc.sans.edu: Is this the Weirdest Phishing (SMishing?) Attempt Ever?

Read more in

Pegasus Spyware

The most recent version of Pegasus can be installed on targeted mobile devices without user interaction and without notification. The targeted device must have a vulnerable operating system or app. Once installed, Pegasus can access virtually everything on the device. Pegasus manufacturer NSO Group maintains that it sells the spyware only for government use in tracking criminals and terrorists. Information recently released by the Pegasus project, a consortium of media organizations and journalists from 10 countries, indicates that the spyware has been used to target heads of state, activists, and journalists.

Note

  • The Amnesty International Security Labs report provides insight as to where and how Pegasus is introduced onto mobile devices. They have released both their IOCs as well as their MVT tool for analysis of Android devices and iOS backups. You may want to leverage these to double-check devices, particularly for potentially targeted individuals.

Read more in

Vulnerabilities in Arcadyan Routers

Researchers from Tenable have identified three vulnerabilities that affect routers made by Arcadyan; researchers from Juniper Threat Labs say that one of the flaws (CVE-2021-20090) is being actively exploited in the wild. That vulnerability affects devices from 20 vendors; the other two vulnerabilities appear to affect only Buffalo WSR-2533 routers.

Note

  • The Arcadyan firmware is installed in 17 varieties of home, SMB and ISP provided routers. The exploit attempts to install a version of the Mirai malware. Mitigate the risk by installing updates as they are available. Leverage IOC information in the Juniper blog to detect attempted access and/or downloads.

Read more in

Cisco Releases Updates to Address Two Vulnerabilities in VPN Routers

Cisco has released updates to fix critical pre-auth vulnerabilities in the web-based management interface of Cisco Small Business RV340, RV340W, RV345, and RV345P Dual WAN Gigabit VPN routers running firmware older than release 1.0.03.22. The flaws could be exploited to execute arbitrary code and create a denial-of-service condition.

Note

  • The Cisco VPN Routers in question are from the Cisco Small Business Unit, which has almost nothing to do with Cisco’s enterprise product software. It’s a completely separate operating system and hardware line. Unfortunately, it does have the Cisco name on it, so many small business customers will purchase it. This is a tragic scenario because these bugs hit companies that may not have all of the other security controls a large organization will have, and may not even patch these systems. This may go unnoticed for quite a while, and may only get addressed if they replace the product in the future. What we have seen is that for “Remote Management” these systems may have their Web Management right on the internet. Since these are VPN Routers, we would not expect that they are all behind a NAT so they may be internet facing.
  • These are pre-authentication vulnerabilities, exploitable via the web-based management interface, which cannot be disabled on the local LAN connection. Take three steps now: apply the firmware updates; make sure that the management interface is disabled on the WAN connection; and review your configuration to make sure it is unaltered. There are no workarounds.
  • This brings the total vulnerability count to 7 over the last couple years, for this particular router’s web admin interface. If you believe that they found them all: Please allow worldwide access to the admin interface. If you feel like there may be a couple more vulnerabilities that haven’t been found/patched yet: Disable access from anything but a few administrator IPs.

Read more in

Microsoft Edge Super Duper Secure Mode

Microsoft’s Edge Vulnerability Research (VR) team is reportedly working on a “Super Duper Secure Mode” feature for the browser. The feature turns off the JavaScript just-in-time (JIT) compiler. The VR team writes that “our hope is to build something that changes the modern exploit landscape and significantly raises the cost of exploitation for attackers.”

Note

  • Browsers are the first point of contact between both users and content and users and attacks. Over the years much more effort has gone into making browsers faster and fancier, vs. more secure. In recent years, Google, Mozilla and now Microsoft are adding much needed focus on “safety-first.” While the market share of the Edge browser is under 10%, Microsoft quotes numbers that say more than half of Chrome exploits take advantage of flaws in the JIT compiler. Microsoft’s first look at performance degradation with JIT disabled also showed minimal performance impact.
  • The JIT compiler allows JavaScript to achieve near-C++ performance, and a significant number of CVEs are related to the V8 JIT (TurboFan/Sparkplug). The idea is to disable the JIT and enable other arbitrary-code-execution mitigation options such as Arbitrary Code Guard (ACG) and Control-flow Enforcement Technology (CET) while maintaining compatibility and speed. Initial tests show performance hits under 15%; WebAssembly is not supported and only CET is enabled. You can enable and test SDSM at edge://flags in the Edge Canary, Dev and Beta versions.
  • The main purpose of the JavaScript JIT compiler is to optimize JavaScript and to make it faster. We will see if a browser without JIT will still be usable given the immense JavaScript code bloat on many sites. I assume Microsoft is working on making JavaScript perform without JIT compiler.

Read more in

Western Australia Auditor General Examines Government Employee Exit Controls

An audit conducted by Western Australia’s Auditor General found that some former government staff members still had access to IT systems. The audit examined employee exit controls at the Department of Planning, Lands and Heritage, the Department of Finance, and the Department of Local Government, Sport and Cultural Industries. It took an average of seven days following an employee leaving an agency for access to be deactivated.

Note

  • Access to systems, and resulting damage, by former employees is a legitimate threat, and accounts need to be disabled immediately on separation. Resist the temptation to “hold accounts open” for employees who will be returning in a new status (e.g. consultant); rather, review the needed privileges in the new role, only granting those needed, just as you would for a new hire.
  • Establishing and monitoring “Time to Remove Access” metrics is easy to do and very valuable. Checking that parameter should be part of every security controls test or audit. The Western Australian report showed an average of 7 days between employee termination and IT access removal, but had outliers of up to 161 days. The usual major problem is reliance on multi-step, undocumented people-driven processes vs. some level of integration between HR databases/systems and access removal.
  • We continue to be better at getting separated employees off the payroll than at revoking their IT privileges. Payroll is almost always a single point of control while IT privileges may come from many sources.
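The “Time to Remove Access” metric described in the notes above is straightforward to compute once HR separation records can be joined against deprovisioning events from each access source. The following is an added example, not code from the audit or from any vendor: the HR records, the three access systems (ad, vpn, erp), the field layout and the one-day SLA are all constructed assumptions. It reports the average and worst time to full deprovisioning, the per-system SLA breaches, and, for accounts never removed, how long they have been open as of the report date, so that the outliers the audit found (a 7-day average hiding a 161-day case, and accounts from secondary systems that are never removed at all) show up explicitly rather than being averaged away.

```python
"""Compute a "Time to Remove Access" metric by joining HR separation
records against access-removal events from several access sources.

Added example with constructed sample data; field names and system
names are assumptions for illustration, not any product's schema.
"""
from datetime import date

# Constructed HR separation records: (employee_id, separation_date).
HR_SEPARATIONS = [
    ("e1001", date(2021, 3, 1)),
    ("e1002", date(2021, 3, 5)),
    ("e1003", date(2021, 3, 10)),
    ("e1004", date(2021, 4, 1)),
]

# Constructed deprovisioning events: (employee_id, system, removal_date).
# Payroll is one point of control; IT access comes from many systems,
# so each system reports its own removal event (or none at all).
ACCESS_REMOVALS = [
    ("e1001", "ad", date(2021, 3, 2)),
    ("e1001", "vpn", date(2021, 3, 2)),
    ("e1001", "erp", date(2021, 3, 8)),
    ("e1002", "ad", date(2021, 3, 5)),
    ("e1002", "vpn", date(2021, 3, 6)),
    # e1002 was never removed from erp
    ("e1003", "ad", date(2021, 3, 12)),
    ("e1003", "vpn", date(2021, 8, 18)),   # 161 days after separation
    ("e1003", "erp", date(2021, 3, 12)),
    # e1004 still has access everywhere
]

SYSTEMS = ("ad", "vpn", "erp")


def time_to_remove_access(separations, removals, systems):
    """Join separations against removal events.

    Returns {employee_id: {"separated": date, "systems": {system: days}}}
    where days is None when no removal event exists for that system.
    """
    removal_dates = {}
    for emp, system, removed in removals:
        removal_dates.setdefault(emp, {})[system] = removed
    metrics = {}
    for emp, separated in separations:
        per_system = {}
        for system in systems:
            removed = removal_dates.get(emp, {}).get(system)
            per_system[system] = (removed - separated).days if removed else None
        metrics[emp] = {"separated": separated, "systems": per_system}
    return metrics


def summarize(metrics, sla_days, as_of):
    """Turn per-system numbers into the figures an audit would report."""
    completed = []      # days until the last system was deprovisioned
    still_active = []   # (emp, system, days_open) with no removal event
    sla_breaches = []   # (emp, system, days) removed later than the SLA
    for emp, info in metrics.items():
        days = info["systems"]
        for system, d in days.items():
            if d is None:
                still_active.append((emp, system, (as_of - info["separated"]).days))
            elif d > sla_days:
                sla_breaches.append((emp, system, d))
        if all(d is not None for d in days.values()):
            completed.append(max(days.values()))
    return {
        "average_days_to_complete": sum(completed) / len(completed) if completed else None,
        "worst_days_to_complete": max(completed) if completed else None,
        "still_active": still_active,
        "sla_breaches": sla_breaches,
    }


def build_report(sla_days=1, as_of=date(2021, 8, 31)):
    """Run the metric over the constructed sample data."""
    metrics = time_to_remove_access(HR_SEPARATIONS, ACCESS_REMOVALS, SYSTEMS)
    return summarize(metrics, sla_days, as_of)


if __name__ == "__main__":
    for key, value in build_report().items():
        print(key, value)
```

The average of completed cases (84 days here) is dominated by a single late VPN removal, and two employees never appear as “complete” at all because one system has no removal event; those two lists, not the average, are what a controls test should look at first.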

Read more in

Mitsubishi Safety PLC Vulnerabilities

Mitsubishi has yet to address five vulnerabilities affecting its safety programmable logic controllers (PLCs). All five flaws are related to the authentication implementation of the MELSOFT communication protocol. Mitsubishi has suggested mitigations for the vulnerabilities, but fixes are not yet available. Nozomi Networks discovered the flaws and disclosed them to Mitsubishi.

Note

  • The core issue is that the username and passwords are not adequately protected (think cleartext) between the engineering workstation and the PLC. Patches are not available yet. Mitigate the risk by limiting the devices which can access the PLC and protecting that communication link via segmentation or other encapsulation. Once patched, limiting access to only authorized devices remains a good practice.

Read more in

INFRA:HALT TCP/IP Stack Vulnerabilities

Forescout Research Labs and JFrog Security Research have disclosed more than a dozen vulnerabilities affecting the NicheStack TCP/IP stack. The flaws could be exploited to achieve remote code execution, TCP spoofing, DNS cache poisoning, or information leaks, or to cause denial-of-service conditions. The flaws, which are known collectively as INFRA:HALT, affect all versions of NicheStack prior to version 4.3.

Note

  • Big thanks to this group of researchers for doing the work companies developing this code should have done 20-30 years ago. But I am afraid much of the effort will be in vain as this code is embedded in countless unaccounted for devices that will never be patched until a lightning strike carries them across the IoT rainbow bridge to a land without invalid TCP/IP packets.
  • The exploit uses DNS to deliver shell code, which means that attacks are still possible if your segmented network has routes to public DNS servers. Other exploits leverage the HTTP server and malformed packets. The best mitigation will be to apply updates when available. Until then, disable the DNS client or block the traffic if not needed, disable or restrict access to the HTTP server, and monitor/block malformed IP and ICMP packets.

Read more in

Old Versions of Android Will be Prevented from Accessing Google Services

As of September 27, 2021, devices running Android versions 2.3.7 and older will no longer be able to access Google services. The decision was made due to security issues. Google is urging users running old versions of Android to update to version 3.0 or newer.

Note

  • Android 2.3.7, aka Gingerbread, was released in December 2010. It’s time to replace those devices; there are no security updates, and compatibility with applications is going to be more miss than hit. As an enterprise you should have already set a base version of Android 11, and be assessing when you can move that minimum to Android 12. Be sure to also enforce the minimum for users establishing remote connections.
  • It’s interesting that Google has taken the step to abandon 2.3.7. It would be interesting to see if they are doing this for “Security Reasons” or, more practically, maybe they are getting rid of specific APIs that those products used. 2.3.0 was released in 2010 and after 11 years, it’s probably time to discontinue it. It would be interesting to see if these devices continue to live through third-party services that are not Google. Those would be a lower trust offering potentially. Several statistics on the internet show the “Other” category for versions of Android this old (older than 3.0) at under 1%. 1% of 2 billion Android phones would be 20 million. Hopefully it’s a smaller number than this.

Read more in

Senate Report on US Federal Agency Cybersecurity

According to a report on federal cybersecurity from the US Senate Homeland Security and Governmental Affairs Committee, seven of eight agencies reviewed received a grade of “C” or “D” for cybersecurity. The report found that the majority of the eight agencies were using unsupported systems and applications; failed to install patches and other vulnerability remediation in a timely manner; did not provide adequate protection for personally identifiable information; and did not maintain accurate and comprehensive IT asset inventories.

Note

  • The title pretty much captures it all: “Federal Cybersecurity: America’s Data *Still* at Risk.” Not much progress since the 2019 report, but the pandemic year had major impacts – IT operations were consumed just keeping remote work running, and time to patch and other key security metrics suffered.
  • Knowing what you have, what it’s supposed to be running, keeping it patched, and monitoring are core critical controls. Agencies are often faced with the daunting task of consuming the NIST cyber security framework and SP 800-53, which can distract them from which controls should be prioritized; simplification is needed to facilitate understanding, and mandates such as CDM, Einstein, FISMA reporting and assorted BODs consume available resources. As the report suggests, CISA is well positioned to offer services to agencies to help them improve their security posture; even so, that support has to be accompanied with ongoing funding for staff, training and licenses to maintain a sufficient level of protection.
  • Many of these findings would be true of many private enterprises.

Read more in

Telegram for Mac Bugs Allow End Run Around Secret Chat Features

Bugs in Telegram for Mac allow users to save messages that are supposed to self-destruct and to retrieve deleted messages. Messages sent in Secret Chat mode are protected with end-to-end encryption and are set to automatically self-destruct and disappear from all devices after a set amount of time. Telegram has fixed the flaw that allows Secret Chat messages to be saved indefinitely but declined to fix a flaw that lets users retrieve deleted messages.

Read more in

Water Utility Cybersecurity Concerns

A report from ThreatLocker examines the challenges water utilities encounter while trying to improve their cybersecurity posture. The report notes water utilities’ “limited IT and OT financial resources,” and the lack of clear regulatory guidelines.

Note

  • One of the ways to address the cybersecurity gap at utilities is to hire a larger organization to provide shiny cloud-based secure options for them. The danger is they may be buffaloed by fancy talk and promises that they may not have the knowledge or skills to challenge. If you’re an operator, review the ThreatLocker report and use the recommendations on how to focus the EPA’s WSCRMG guidance to drive improvements internally, or drill down with your service provider to provide written, understandable approaches to address all the suggested controls.
  • One of the lessons highlighted in the report was the need for multi-party controls over critical functions. This will offer resistance to both attacks from outsiders and the more likely insider error.

Read more in

Joint Cyber Defense Collaborative

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched the Joint Cyber Defense Collaborative (JCDC), an initiative that “will bring together public and private sector entities to unify deliberate and crisis action planning while coordinating the integrated execution of” the country’s cyber defense plans. JCDC members include public and private sector organizations, including Amazon Web Services, AT&T, Google Cloud, Microsoft, FireEye Mandiant and Verizon, the FBI, the Department of Defense, the Department of Justice, and the National Security Agency. (Please note that the WSJ story is behind a paywall.)

Note

  • You need to participate in this effort. Connection with resources and information sharing across the public and private sectors will provide access to high-quality recommendations and services which will aid planning of defenses and implementations. It will also connect you to a network of resources and expertise you might not otherwise have access to.

Read more in

Healthcare Organizations Operating Under EHR Downtime Following Cyberattacks

Two US healthcare systems have reportedly been hit by cyberattacks that have caused them to operate under electronic health record (EHR) downtime. News outlets are reporting that Eskanazi Health in Indianapolis was the victim of a ransomware attack. Sanford Health in South Dakota is said to be “taking aggressive measures to contain the impact” of a cybersecurity incident.

Note

  • Aggressive measures for those not yet compromised must include isolating the high-risk applications, e-mail and browsing, from electronic healthcare systems.

Read more in

CISA Vulnerability Disclosure Policy Platform

The US Cybersecurity and Infrastructure Security Agency (CISA) has launched a vulnerability disclosure policy (VDP) platform that supports its Binding Operational Directive 20-01, which requires federal agencies to establish VDPs.

Note

  • Agencies have until September 2, 2022 to have all internet accessible systems in scope. Policies and contacts had to be published within 180 days, and after 180 days any new internet-accessible systems were automatically in scope. Identification of existing systems in scope was required 270 days from the issuance of BOD 20-01, June 1, 2021, with additional systems required every 90 days until all internet accessible systems are listed as in scope. The challenge is developing procedures to track, coordinate and resolve reported issues, which may impact federal incident reporting activities. The BOD provides references and resources needed to develop a VDP. Before you go testing an agency’s system, check their web site under /vulnerability-disclosure-policy to see what is permitted/in-scope.
  • Back in 2017 the US Department of Justice put out a solid framework for Vulnerability Disclosure Programs – good to see CISA making standard VDPs a requirement across federal systems. They now provide a template complying with this BOD. One nit: while the BOD does require the policy to be published at a standard URL across government systems, it is *not* an easy to guess URL. I’d like to see requirements that all federal home pages include a visible link to vulnerability reporting information.

Read more in

SolarWinds Threat Actors Breached US Federal Prosecutors’ eMail Accounts

The US Department of Justice (DoJ) has issued an updated statement on SolarWinds to include information that the threat actors behind the SolarWinds supply chain attack also compromised Microsoft Office 365 accounts in 27 federal prosecutors’ offices. The threat actors had access to the accounts between May 7 and December 27, 2020. The compromised information includes “all sent, received, and stored emails and attachments found within those accounts during that time.”

Note

  • We knew the fallout from the SolarWinds compromise was going to be bad, but this points out how really, really bad the damage has been. In the SANS 2021 New Attacks and Threat report, SANS Fellow and instructor Ed Skoudis detailed the key mitigation needs to minimize damage from what he called “Software Integrity Attacks.” Details at www.sans.org: A SANS 2021 Report: Top New Attacks and Threat Report
  • Review administrator access to your cloud services. Make sure that service administrators use a separate account to manage the service versus accessing it as an end-user. Require multi-factor authentication on all accounts, especially administrators. Additionally, if you have “break-glass” or other administrator accounts which are single factor, secure those passwords, and monitor their use closely to detect abuse.
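The second note above lists three things to check in a cloud service: administrators use a separate identity for administration, every account (administrators first) uses multi-factor authentication, and any single-factor break-glass account is watched closely. Those checks can be run mechanically over the service's sign-in audit log. The following is an added example, not the page's or any vendor's code: the log lines are constructed, and the field names (ts, user, roles, mfa, ip), the role names and the break-glass account name are assumptions rather than any real product's schema.

```python
"""Flag risky administrator sign-ins in a cloud service's audit log.

Added example over constructed log lines. Field names, role names and
the break-glass account name are assumptions, not a real vendor schema.
Findings raised:
  admin_without_mfa     an admin-role sign-in that did not use MFA
  break_glass_used      any sign-in by a designated break-glass account
  shared_admin_identity one account used both with admin roles and for
                        ordinary end-user sign-ins (should be separate)
"""
import json

ADMIN_ROLES = {"GlobalAdmin", "ExchangeAdmin"}   # assumed role names
BREAK_GLASS = {"bg-admin-01"}                     # assumed account name

# Constructed sample log, one JSON object per line; the fourth line is
# deliberately malformed to show that a bad record does not stop the run.
SAMPLE_LOG = """\
{"ts":"2021-08-20T09:00:00Z","user":"alice","roles":["User"],"mfa":true,"ip":"203.0.113.5"}
{"ts":"2021-08-20T09:05:00Z","user":"alice-admin","roles":["GlobalAdmin"],"mfa":true,"ip":"203.0.113.5"}
{"ts":"2021-08-20T10:00:00Z","user":"bob","roles":["User","ExchangeAdmin"],"mfa":false,"ip":"198.51.100.7"}
this line is not valid json
{"ts":"2021-08-20T11:00:00Z","user":"bob","roles":["User"],"mfa":true,"ip":"198.51.100.7"}
{"ts":"2021-08-21T02:13:00Z","user":"bg-admin-01","roles":["GlobalAdmin"],"mfa":false,"ip":"192.0.2.99"}
"""


def parse_log(text):
    """Return (events, skipped): parsed sign-in records and the number of
    lines that could not be parsed or lacked the fields we rely on."""
    events, skipped = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            ev = json.loads(line)
            if "user" not in ev or "ts" not in ev:
                raise ValueError("missing required field")
        except ValueError:
            skipped += 1
            continue
        events.append(ev)
    return events, skipped


def analyze(events):
    """Return a list of (finding, user, timestamp) tuples in log order,
    followed by identity findings that need the whole log to decide."""
    findings = []
    admin_users, end_user_accounts = set(), set()
    for ev in events:
        roles = set(ev.get("roles", []))
        is_admin = bool(roles & ADMIN_ROLES)
        if ev["user"] in BREAK_GLASS:
            findings.append(("break_glass_used", ev["user"], ev["ts"]))
        if is_admin and not ev.get("mfa", False):
            findings.append(("admin_without_mfa", ev["user"], ev["ts"]))
        if is_admin:
            admin_users.add(ev["user"])
        else:
            end_user_accounts.add(ev["user"])
    # An identity that signs in with admin roles on some occasions and as a
    # plain end user on others is being used for both purposes.
    for user in sorted(admin_users & end_user_accounts):
        findings.append(("shared_admin_identity", user, None))
    return findings


def run_sample():
    """Analyze the constructed log; returns (findings, skipped_lines)."""
    events, skipped = parse_log(SAMPLE_LOG)
    return analyze(events), skipped


if __name__ == "__main__":
    results, bad = run_sample()
    for finding in results:
        print(finding)
    print("skipped lines:", bad)
```

In the sample, `alice` and `alice-admin` are the pattern the note asks for (separate identities, both with MFA) and raise nothing; `bob` signs in with an admin role and no MFA and later as a plain user from the same account, and the break-glass account's single-factor use at 02:13 is reported even though it may be legitimate, because the point is that every such use gets reviewed.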

Read more in

Android VNC Malware

An Android remote access trojan (RAT) can steal sensitive information from infected devices. The malware uses Virtual Network Computing (VNC) remote screen sharing technology to steal data. The malware spread via the Google Play Store in an app called “Protection Guard,” which was installed more than 5,000 times.

Note

  • Malware allowing interactive control over a particular mobile device has been used for more sophisticated social engineering attacks. An attacker, while on the phone with a victim, is able to manipulate the screen to for example affect the user’s session as they log into their legitimate online banking website.
  • Unlike prior malware which used an HTML overlay to capture credentials, the “Vultur” RAT uses VNC to capture keystrokes and record screens, removing the need to create custom overlays and the effort required to install them. It does leverage an overlay to trick the user into granting permission. The malicious apps have been removed from the Play Store and Play Protect will remove them from affected devices. Even so, use caution when granting app permissions, and only install apps from well-known developers in the legitimate app store (Google Play, or your corporate app catalog).
  • The app stores are intended to distribute. They are “suppliers,” but of code developed by others. While they have distributed malicious apps, they have done a pretty good job of detecting and eliminating them. Users should limit downloads to code that they are sure they are going to use. In deciding whether to download, they should look beyond the stores to the developers.

Read more in

Spoofing Ship Locations

Data analysts from SkyTruth and Global Fishing Watch have found that ships’ locations have been spoofed via the automatic identification system (AIS). International law requires most commercial ships to have AIS transponders. While military ships are exempt from the requirement, many use AIS transponders under an alias while navigating busy areas.

Note

  • The maritime AIS system is set up like the ADS-B system used for aviation. The signals are not encrypted as they are intended to be seen by everybody in the vicinity of the vessel. Theoretically, it would be possible to digitally sign the signals, but that would require a global key infrastructure. Spoofed AIS signals have frequently been observed in areas where boats attempt to conceal illegal activity. This can be dangerous if a ship conceals or alters its location.
  • Regardless of what marketing says, not every threat can be emulated during a red team or pentest engagement. Tabletop exercises and cyber ranges can be good complements, helping organizations understand their larger risk profile.

Read more in

Swisslog Issues Updates to Fix Vulnerabilities in Pneumatic Tube Firmware

Swisslog Healthcare has released updates to fix vulnerabilities in the Nexus Control Panel of its TransLogic pneumatic tube system (PTS) stations. The pneumatic tube systems are used to transport medicine and lab samples in more than 3,000 hospitals around the world. Researchers at Armis found nine critical vulnerabilities in the TransLogic PTS system.

Note

  • If you have an affected system, until updated firmware can be deployed, follow the mitigations in the Armis PwnedPiper report, including blocking Telnet (port 23) on TransLogic PTS stations, implementing segmentation or other access controls to limit PTS components to communicating only with the TransLogic central server (SCC), and deploying the provided Snort IDS rules to detect attempted exploits.

Read more in

Hackers Exploited Exchange Flaws to Steal Data from Telecom Companies in Southeast Asia

Researchers from Cybereason have found that hacking groups with ties to China’s government exploited vulnerabilities in Microsoft Exchange to steal information from cellular network providers in southeast Asia.

Read more in

EU Regulators Fine Amazon Nearly $900 Million for GDPR Violations

The National Data Protection Commission (CNPD) has fined Amazon €746 million ($886 million) for violations of the European Union’s General Data Protection Regulation (GDPR). The fine was disclosed in an Amazon filing with the US Securities and Exchange Commission (SEC).

Note

  • At core here is the use of personalization practices which tailor advertising related to a web service such as Amazon. If you’re providing a service that is personalized based on user activities, work closely with your legal team to not run afoul of GDPR or similar privacy legislation.
  • That is almost a 3% hit on Amazon’s CY 2020 profits – or almost all the profit they made from the sales across the annual “Prime Day” event. To paraphrase an old saying: a billion here, a billion there adds up to *real* money – protecting users’ privacy rights can meaningfully increase profit margins.
  • In addition to imposing the fine, the regulators mandated procedural changes. It should be noted that Amazon claims that the findings are “without merit” and says that it will appeal. What is significant is that “the game is afoot.”

Read more in

Police Accessed Western Australia’s COVID-19 Tracing App Data

An audit report regarding Western Australia’s SafeWA COVID-19 contact tracing app reveals that police accessed the app’s data and that the app itself contained security flaws. In the report, the Auditor-General of Western Australia expressed concern that the personal data the app collected were used for purposes other than contact tracing. Western Australia released the SafeWA app in November 2020.

Note

  • Understand the legislative controls regarding access to data you safeguard on behalf of others. Ensure that data you’ve collected for an identified purpose is only used as intended, particularly HIPAA and PII data which are provided with specifically identified consent or purpose. If you’re in a bind where a legal mandate is asking for access to your data, make sure that you’ve consulted with both your regulator and legal team before releasing it.
  • The temptation for the police to abuse and misuse any data held by government is all but irresistible. In the US we have been doing contact tracing for more than 100 years with few reported cases of abuse. However, the potential for abuse interferes with the legitimate purpose of the data. People do not need much of an excuse not to cooperate.

Read more in

Florida Medical Practice Data Breach

The Orlando Family Physicians medical practice has acknowledged a data breach that affects the protected health information (PHI) of nearly 450,000 people. In a notice of security incident, Orlando Family Physicians writes that “a recent phishing email incident … potentially resulted in unauthorized access to personal information of four employees’ email accounts.” The initial breach occurred in April 2021.

Note

  • Isolate the vulnerable applications of e-mail and browsing from mission critical applications and sensitive data.

Read more in